All Questions
Tagged with have-i-been-pwned passwords
14 questions
0 votes, 0 answers, 422 views
How to find out which data breach my password was in?
HIBP and my password manager both claim that a password that I am using has been seen in a data leak.
Neither of them provide information about which data leak exactly my password was seen in.
The ...
16 votes, 4 answers, 4k views
Should one reject login attempts when the correct password is newly added to a password deny list?
Best practices say that when users choose a password (at signup or when changing an existing password), the application should reject that password if it appears on a list of passwords known to be ...
1 vote, 1 answer, 234 views
Databases for compromised passwords that browsers use
I am looking into databases of compromised passwords in order to ensure that passwords on a system I am responsible for are not already compromised.
To have complete peace of mind, I prefer to get ...
1 vote, 2 answers, 334 views
Is it a good idea to check if the password provided at registration is leaked on any lists? And then, prevent the user from using it?
A while ago, I was tipped off that it's a good idea to check if the password provided at registration is contained in any list of leaked passwords. I'm not in the information security field, but I ...
3 votes, 2 answers, 206 views
Is this (explained in body) a possible attack vector when using haveibeenpwned API?
I'm currently working on understanding and contemplating to implement password strength validation for sign ups in my app, to include checking haveibeenpwned if entered password is compromised ...
61 votes, 6 answers, 13k views
Is there a reason why I should not use the HaveIBeenPwned API to warn users about exposed passwords?
There's lots of talk about the HaveIBeenPwned password checker which can securely tell users if their password appears in one of their known data dumps of passwords.
This tool has a publicly ...
52 votes, 10 answers, 18k views
Is using haveibeenpwned to validate password strength rational?
I have been hearing more and more that the haveibeenpwned password list is a good way to check if a password is strong enough to use or not.
I am confused by this. My understanding is that the ...
2 votes, 2 answers, 924 views
Is haveibeenpwned (HIBP) free and reliable? [closed]
I have just started to explore HIBP to check whether we can use HIBP in our public facing interfaces.
As per my read I have 3 options to check out.
Download the password dictionary and implement my ...
1 vote, 0 answers, 113 views
Are there any reliable and updated sources or feeds for password dumps? [closed]
I am looking for any reliable, up-to-date sources (which may be RSS feeds, websites, or anything else OSINT-based) which contain password dumps and their relative links.
I am looking particularly for ...
1 vote, 1 answer, 147 views
How did my exact name + birthday end up in PwnedPassword lists? [closed]
I find my exact name + birthday in the form of FirstnameMiddlenameSurnameDayMonthYear, e.g. JamesWilliamMiller31052000 in the PwnedPasswords List.
But I have a very uncommon Surname (<100 people) ...
66 votes, 10 answers, 25k views
Why check your email in haveibeenpwned rather than regularly changing your password regardless of any leaks?
There's a lot of news right now about haveibeenpwned but I don't understand why people need a service like that in first place. If you're a security conscious user, you'd change your passwords ...
105 votes, 7 answers, 145k views
Is it safe to give my email address to a service like haveibeenpwned in light of the publication of "Collection #1"?
There is a new big case of stolen login/password data in the news. At the same time, I am reading that there are services that let you check if your own login data is affected, e.g. Have I Been Pwned. ...
41 votes, 3 answers, 19k views
Is it safe to check password against the HIBP Pwned Passwords API during account registration?
User registers account on a web app. Passwords are salted and hashed.
But is it safe to check the password against the HIBP Pwned Passwords API, before salting and hashing it? Of course the app uses ...
158 votes, 8 answers, 61k views
Is "Have I Been Pwned's" Pwned Passwords List really that useful?
My understanding of Have I Been Pwned is that it checks your password to see if someone else in the world has used it.
This really doesn't seem that useful to me. It seems equivalent to asking if ...